(57) ABSTRACT

A credential caching proxy server that handles credential caching for a set of wireless client devices is disclosed. The credential caching proxy server handles most credential transactions for wireless client devices that wish to access resources within a protected realm where the protected realm requires credentials. In one embodiment, the credential caching proxy server intercepts and caches a wireless client's credentials when a credential is first sent from the wireless user agent to a protected server. The cached credential will then be used for all requests to resources within the same protected realm. Thus, after first sending a first credential for accessing the resource in a particular realm, the wireless user agent does not need to attach the credential to the subsequent requests for any other resources belonging to the same realm. In an alternate embodiment, the proxy server sends a special request to the wireless client device requesting a credential for a particular resource. The special request may take the form of a simple preformatted display page such that a "dumb terminal" wireless client device can be used to communicate with protected Internet resources even though the "dumb" wireless client device has no concept of authentication and authorization.
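The mechanism the abstract summarizes, modelled end to end in Python as an added example written for this page (it is not code from the patent or from its assignee): building and decoding RFC 2068 Basic credentials, reading the realm out of a "WWW-Authenticate:" challenge, and a proxy that keeps one realm-keyed credential record per wireless device, switched on by the "x-up-ba-enable: 1" session header that the FIG. 3 embodiment uses. The class and function names, the origin servers broker.example and quotes.example, and the rule that the proxy learns a URL's realm from the 401 challenge (or from an explicit register_realm call standing in for the patent's "known protected realm") are assumptions of this model, not details taken from the patent.

```python
import base64
from typing import Callable, Dict, Optional, Set, Tuple


def make_basic_credential(userid: str, password: str) -> str:
    """'Authorization:' header value per RFC 2068: base64 of 'userid:password'."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_credential(header_value: str) -> Tuple[str, str]:
    """Inverse of make_basic_credential; base64 is an encoding, not encryption,
    so whoever holds the header (a proxy cache included) holds the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return userid, password


def parse_realm(www_authenticate: str) -> str:
    """Realm name from a challenge such as 'Basic realm="WallyWorld"'."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("only the Basic scheme is modelled here")
    for param in params.split(","):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "realm":
            return value.strip().strip('"')
    raise ValueError("challenge carries no realm")


# origin(host, path, request_headers) -> (status, response_headers); a constructed stand-in
Origin = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str]]]


class CredentialCachingProxy:
    """Hypothetical model of the proxy process: one cache record per device,
    keyed by realm, with realm membership learned from 401 challenges."""

    def __init__(self, origin: Origin) -> None:
        self.origin = origin
        self.enabled: Set[str] = set()                   # devices that sent x-up-ba-enable: 1
        self.cache: Dict[str, Dict[str, str]] = {}       # device -> {realm: credential}
        self.realm_of: Dict[Tuple[str, str], str] = {}   # (host, path prefix) -> realm

    def open_session(self, device: str, headers: Dict[str, str]) -> bool:
        if headers.get("x-up-ba-enable") != "1":
            return False
        self.enabled.add(device)
        self.cache[device] = {}          # empty cache record tied to this device's account
        return True

    def close_session(self, device: str) -> None:
        self.enabled.discard(device)     # reusable secrets must not outlive the session
        self.cache.pop(device, None)

    def register_realm(self, host: str, prefix: str, realm: str) -> None:
        self.realm_of[(host, prefix)] = realm   # assumed operator configuration

    def realm_for(self, host: str, path: str) -> Optional[str]:
        for (h, prefix), realm in self.realm_of.items():
            if h == host and path.startswith(prefix):
                return realm
        return None

    def request(self, device: str, host: str, path: str,
                headers: Dict[str, str]) -> Tuple[int, str]:
        """Forward one request; returns (origin status, what the cache did)."""
        req, action = dict(headers), "forwarded"
        realm = self.realm_for(host, path) if device in self.enabled else None
        if realm is not None:
            if "Authorization" in req:                 # first credential seen: learn it
                self.cache[device][realm] = req["Authorization"]
                action = "cached"
            elif realm in self.cache[device]:          # replay it, for this device only
                req["Authorization"] = self.cache[device][realm]
                action = "attached"
        status, resp = self.origin(host, path, req)
        if status == 401 and "WWW-Authenticate" in resp:
            # the challenge tells the proxy which protection space the URL lies in
            self.register_realm(host, path.rsplit("/", 1)[0] + "/",
                                parse_realm(resp["WWW-Authenticate"]))
        return status, action


# Constructed origin servers: both hosts belong to realm "WallyWorld".
VALID = make_basic_credential("Aladdin", "open sesame")
PROTECTED = {"broker.example": "/account/", "quotes.example": "/"}


def demo_origin(host: str, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    prefix = PROTECTED.get(host)
    if prefix and path.startswith(prefix) and headers.get("Authorization") != VALID:
        return 401, {"WWW-Authenticate": 'Basic realm="WallyWorld"'}
    return 200, {}


def run_fig3_transaction():
    """Replays the FIG. 3 sequence and returns the (status, action) trace."""
    proxy, dev = CredentialCachingProxy(demo_origin), "device-301"
    proxy.open_session(dev, {"x-up-ba-enable": "1"})                       # steps 305-307
    trace = [proxy.request(dev, "broker.example", "/account/", {})]        # 401 -> realm learned
    trace.append(proxy.request(dev, "broker.example", "/account/", {"Authorization": VALID}))
    trace.append(proxy.request(dev, "broker.example", "/account/positions", {}))  # no header needed
    proxy.register_realm("quotes.example", "/", "WallyWorld")               # second server, same realm
    trace.append(proxy.request(dev, "quotes.example", "/", {}))
    trace.append(proxy.request("device-other", "broker.example", "/account/", {}))  # not shared
    proxy.close_session(dev)
    trace.append(proxy.request(dev, "broker.example", "/account/", {}))    # record gone: challenged again
    return trace
```

run_fig3_transaction walks the sequence the detailed description attributes to FIG. 3: the first request goes out bare and is challenged, the credential that follows is cached under the realm the challenge named, later requests into that realm (including one to a second server registered as part of the same realm) get the header attached by the proxy, a device that never opted in gets nothing attached, and closing the session drops the record. decode_basic_credential is included to make the defender's point concrete: what the cache holds is the password itself, merely base64 encoded, which is why the record is scoped to the device that supplied it and discarded with the session rather than shared or kept indefinitely.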
METHOD AND APPARATUS FOR CACHING CREDENTIALS IN PROXY SERVERS FOR WIRELESS USER AGENTS

FIELD OF THE INVENTION

The present invention relates to the field of wireless data communication systems. In particular, the present invention discloses a method and apparatus for caching credentials in proxy servers used by wireless client devices when accessing protected resources.

BACKGROUND OF THE INVENTION

To enable commercial transactions on the global Internet, the parties communicating with each other must be able to authenticate each other. Specifically, each party in a transaction must be certain that the person at the other end of the transaction is who that party claims to be. One method of authenticating a client system that is attempting to connect to a server system is to require that the client system provide a credential. A credential is the authentication information used to authenticate a user who wants to access a protected resource such as a server.

A typical credential is a userid (user identifier) and password pair. Another common credential is a derived form of the userid and password pair, such as a base-64 encoded userid and password pair. For example, in the Internet environment, a base-64 encoded userid and password pair credential is widely used by World Wide Web servers to authenticate client users before access to the desired server is allowed. Each World Wide Web server communicates with the well-known HTTP protocol [RFC2068] and provides varieties of resources such as HTML documents. Each resource is identified by a URI or URL [RFC2068].

To protect a group of Internet resources from unauthorized access, those resources are grouped into realms. Each realm consists of a set of Internet resources that define a protected space. When a user wants to access any resource within a particular realm, the user must provide a credential that authenticates the user as an entity that is authorized to access resources within the realm.

The HTTP protocol defines a standardized manner for a user agent to submit a credential to an Internet server, known as Basic Authentication. Basic Authentication is defined in the IETF's RFC 2068. In the basic authentication system, a user agent, also known as the web client or the web browser, first accesses a protected resource as identified by the URL without providing any credentials within the initial request. The Internet server denies access and sends back a status code 401 along with an HTTP header "WWW-Authenticate:" that requests a credential to access the protected realm. The response with the "WWW-Authenticate:" header comprises a challenge that includes a text string identifying the realm the user agent is attempting to access.

The user agent (the web client or web browser) may then prompt the user to enter the credential information (a userid and password). After receiving the credential information, the user agent resubmits the denied request along with the required credential information in an HTTP "Authorization:" header field. If the credential authenticates the user as an entity that is allowed to access resources within the realm, then the Internet server grants access to the protected resources within the realm. The user agent (the web client or web browser) may cache the credential so that the user agent will automatically attach the credential in any subsequent requests to any other resources within the same realm without the need for user intervention.

In a wireless environment, the user agent (a thin client or a micro browser) exists on a wireless client device such as a cellular phone or a personal digital assistant (PDA) with wireless communication capabilities. In such an environment, the user agent has limited processing power and memory. Furthermore, the amount of communication bandwidth is low and the cost of the communication bandwidth is high. Since the basic authentication system defined in RFC 2068 requires the credentials to be continually passed with each request, the basic authentication system is not efficient for a wireless environment where the client devices have limited processing power and limited memory and the wireless infrastructure has limited data communication bandwidth.

SUMMARY OF THE INVENTION

The present invention introduces a proxy server that handles credential caching for a set of wireless client devices that wish to access resources within a protected realm where the protected resources require credentials. In one embodiment, the proxy server intercepts and caches a wireless client's credentials when a credential is first sent from the wireless user agent to a protected server on the Internet. To intercept the credential, the proxy server locates the credential in the headers of messages from wireless client devices, wherein the examined credential headers are equivalent to the HTTP "Authorization:" header. Once a credential for a particular realm is found, the proxy server caches it in the memory (short term or long term) of the proxy server. The cached credential will then be used for all requests to resources within the same realm. Thus, after first sending a credential for accessing a resource in a particular realm, the wireless user agent does not need to attach the credential to the subsequent requests for any other resources belonging to the same realm.

In an alternate embodiment, when the proxy server needs a credential (perhaps due to a refused request), the proxy server sends a special request to the wireless client device requesting a credential for a particular resource. The special request may take the form of a simple preformatted display page such that a "dumb terminal" wireless client device can be used to communicate with protected Internet resources even though the "dumb" wireless client device has no concept of authentication and authorization.

The teachings of the present invention provide several advantages. One of the most important advantages is that the present invention reduces the number of bits and bytes that must be transmitted over the low bandwidth and expensive wireless communication infrastructure, since a credential does not need to be sent for every request into a protected realm. Furthermore, the present invention reduces the amount of memory used within each wireless client device, since the wireless user agent does not have to implement the mechanism for saving the credentials, nor does the wireless client device need to reserve memory to store the credentials. The present invention also relieves the wireless client device user from entering the credentials over and over again for accessing protected resources that belong to the same protected realm. Other objects, together with the foregoing, are attained in the exercise of the invention in the following description and result in the embodiment illustrated in the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

These and other features, aspects, and advantages of the present invention will become better understood with regard
to the following description, appended claims, and accompanying drawings where:

FIG. 1 illustrates a schematic configuration in which the present invention may be practiced.

FIG. 2 illustrates a functional diagram of an Internet proxy system for wireless client devices wherein a credential cache is provided.

FIG. 3 illustrates a flow diagram that describes how a wireless client accesses an Internet information server within a protected realm and the proxy server automatically caches the credentials used to access the Internet information server.

DETAILED DESCRIPTION OF THE INVENTION

Notation and Nomenclature

In the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will become obvious to those skilled in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuitry have not been described in detail to avoid unnecessarily obscuring aspects of the present invention.

The detailed description of the present invention in the following is presented largely in terms of procedures, steps, logic blocks, processing, and other symbolic representations that resemble data processing devices coupled to networks. These process descriptions and representations are the means used by those experienced or skilled in the art to most effectively convey the substance of their work to others skilled in the art. The method of the present invention, along with the apparatus to be described in detail below, is a self-consistent sequence of processes or steps leading to a desired result. These steps or processes are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities may take the form of electrical signals capable of being stored, transferred, combined, compared, displayed and otherwise manipulated in a computer system or electronic computing devices. It proves convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, operations, messages, terms, numbers, or the like. It should be borne in mind that all of these similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following description, it is appreciated that throughout the present invention, discussions utilizing terms such as "processing" or "computing" or "verifying" or "displaying" or the like refer to the actions and processes of a computing device that manipulates and transforms data represented as physical quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device or other electronic devices.

A Wireless Data Network

Referring now to the drawings, in which like numerals refer to like parts throughout the several views, FIG. 1 illustrates a schematic configuration in which the present invention may be practiced. A data network 100 comprises an airnet 102 that is generally called a wireless network and a landnet 104 that is generally a landline network, each acting as a communication medium for data transmission therethrough. Airnet 102, in which the data transmission is via the air, is sometimes referred to as a carrier network as well because each airnet is controlled and operated by a carrier, for example AT&T and GTE, each having its own communication scheme, such as CDPD, CDMA, GSM and TDMA, for airnet 102. The airnet 102 may comprise more than one different type of wireless network. For example, the airnet 102 may comprise a GSM wireless network for some wireless client devices and a CDPD wireless network for other wireless client devices.

Referenced by 106 is one of the two-way interactive communication devices that can be a mobile device, a cellular phone, a wireless personal digital assistant, or a wireless capable remote controller, capable of communicating, via airnet 102, with an antenna 108 that also represents a carrier infrastructure. It is generally understood that the carrier infrastructure or antenna 108 serves simultaneously a plurality of the two-way interactive communication devices, of which only one mobile device 106 is shown in the figure. Similarly, connected to Internet 104 are a plurality of desktop personal computers (PC) 110 and a number of information server computers 112 (such as web servers), though only one representative, respectively, is shown in the figure. Personal computer system 110, as shown in the figure, may be an Intel processor based personal computer from Dell Computer, Inc. The personal computer system can execute an HTML Web browser such as the Netscape Navigator in order to communicate via the Internet 104 using HTTP to access information stored in information server 112, which may be a workstation from Sun Microsystems Inc. It is understood to those skilled in the art that personal computer 110 can store accessible information therein so as to become an information server as well.

Between the Internet 104 and the airnet 102 there is a link infrastructure that comprises a proxy server device 114 and one or more wireless carrier infrastructures 108. The proxy server device 114, also referred to as proxy server or wireless data server or gateway server, may be a workstation or a personal computer and performs mapping or translation functions. For example, the proxy server may map from one network protocol to another network protocol. Using the proxy server 114, a mobile device 106 may communicate with any one of the computer servers 112 or the personal computers 110 on the Internet via the wireless carrier infrastructure 108. The proxy server 114 may host many other applications that may be used by mobile devices and computers coupled to the Internet 104.

The wireless carrier infrastructure 108 generally comprises a base station and an operation center for each type of wireless network supported. The base station controls radio or telecommunication links with the mobile devices. The operation and maintenance center comprises a mobile switching center performing the switching of calls between the mobile devices and other fixed or mobile network users. Further, the operation and maintenance center manages mobile services, such as authentication, and oversees the proper operation and setup of a wireless network. Each of the hardware components and processes in the base station and the operation and maintenance center for each type of wireless network is known to those skilled in the art and is not described herein, to avoid unnecessarily obscuring aspects of the present invention.

The communication protocol of the World Wide Web (WWW) on the Internet 104 is the well-known HyperText Transport Protocol (HTTP) or HTTPS, a secure version of HTTP. HTTP runs on top of the Transport Control Protocol
(TCP) and the Internet Protocol (IP). HTTP is used to transfer information in forms such as HTML and HDML between the proxy server 114 and one of the HTML web servers that reside in the computers 110, 112, or 122.

The communication protocol between mobile computing device 106 and proxy server 114 via airnet 102 may be one of the protocols specific to a wireless network. Examples of the protocols may include Wireless Session Protocol (WSP) and Handheld Device Transport Protocol (HDTP). WSP or HDTP, which preferably runs on the User Datagram Protocol (UDP), is used to control the connection of a browser program in mobile device 106 to proxy server 114. The browser program in the mobile device 106 may support one or more markup languages, such as Wireless Markup Language (WML), Handheld Device Markup Language (HDML) and compact HyperText Markup Language (cHTML). Similar to regular HTML, the cHTML, WML or HDML language is a tag based document language that comprises a set of commands or statements specified in a card that specifies how information is to be displayed on a small screen of the mobile device 106. To facilitate the description of the present invention according to one embodiment, WML and HDML will be considered below. The browser that supports both WML and HDML and operates on both WSP and HDTP may be obtained from Unwired Planet, Inc. located at 800 Chesapeake Drive, Redwood City, Calif. 94063.

Normally a number of cards are grouped into a deck that is the smallest unit of HDML information that can be exchanged between the mobile device 106 and the proxy server 114. The specifications of HDTP, entitled "HDTP Specification", and HDML, entitled "HDML 2.0 Language Reference", are enclosed and incorporated herein by reference in their entirety. Furthermore, additional information about the Wireless Session Protocol (WSP) and the Wireless Mark-up Language (WML) can be found in the Wireless Application Protocol Forum at http://www.wapforum.org/.

WSP and HDTP are session-level protocols that are similar to HTTP, but WSP and HDTP are designed to incur less overhead since they are designed for use in lower bandwidth wireless environments. For example, the WSP and HDTP protocols have been designed to minimize the number of packets that need to be exchanged when negotiating a connection between a wireless client device and a wireless server before information can be exchanged. Furthermore, WSP and HDTP are optimized for use within thin client devices, such as mobile computing devices including cellular phones and personal digital assistants. Mobile computing devices typically have significantly less computing power and memory than desktop personal computers. Exchanging a very small number of packets is one of the desired features for a mobile device with very limited computing power and memory in order to effectively interact with a landline device.

A Wireless Computing Device

To facilitate the description of the disclosed system, some of the features in mobile computing device 106 are recited. According to one embodiment, mobile computing device 106 is a mobile phone. Mobile phone 106 comprises a display screen 116 and a keyboard pad 118 that allow a user thereof to communicate interactively with the mobile phone. The digital hardware components, including a microcontroller, a ROM, and RAM, in mobile phone 106 are known to those skilled in the art.

The compiled and linked processes are typically stored in the ROM as a client module that causes mobile device 106 to communicate with proxy server 114. With display screen 116 and keypad 118, a user of mobile device 106 can interactively communicate with proxy server 114 over airnet 102. Upon activation of a predetermined key sequence utilizing keypad 118, for example, the microcontroller initiates a communication session request to proxy server 114 using the client module in the ROM. Upon establishing the communication session, mobile device 106 typically receives a single HDML or WSP deck from proxy server 114 and stores the deck as cached in the RAM. As described above, an HDML deck comprises one or more cards. Each card includes the information required to generate a screen display on display screen 116. The number of cards in a card deck is selected to facilitate efficient use of the resources in mobile device 106 and in airnet network 102.

Internet Proxy for Wireless Data Network

Referring now to FIG. 2, there is shown a functional block diagram of an Internet proxy system for multiple wireless devices. Web server devices (202, 204, 205, 206, and 207) provide information accessible to other computing devices on the Internet 104. A first wireless mobile device 106 and a second wireless mobile device 107 access the information in the web server devices (202, 204, 205, 206, and 207) coupled to the Internet via Internet proxy server device 114 through first wireless network 102.

The actual Internet communication and translation is performed by Internet Proxy Process 217. The Internet Proxy Process 217 uses an Internet Protocol (IP) address for communicating with other devices coupled to the Internet 104. FIG. 2 further illustrates a third wireless mobile device 176 and a fourth wireless mobile device 177 that access the information in web server devices (202, 204, 205, 206, and 207) via Internet proxy server device 114 through a second wireless network 172. The second wireless network 172 has different properties than the first wireless network 102. Thus, Internet Proxy Process 217 may be responsible for providing Internet access to several wireless clients that communicate using different wireless infrastructures.

To avoid possible ambiguities in further description of the present invention, each server device, such as web server devices (202, 204, 205, 206, and 207) and proxy server device 114, refers to a piece of hardware equipment that comprises one or more microprocessors, working memory, buses and necessary interface and other components that are familiar to those skilled in the art, while a server module means compiled and linked processes of the disclosed system loaded into the working memory to perform designated functions, according to the invention, through the parts and components in the server device. Additional details on the design, construction, and operation of one possible proxy server embodiment are described in commonly assigned U.S. application Ser. No. 08/978,701, entitled "Method and Architecture for an Interactive Two-way Data Communication Network" by Rossman, and U.S. application Ser. No. 09/071,235, entitled "Method and System for Integrating Narrowband and Wideband Data Transports", by Stephen S. Boyle, et al., filed on Apr. 30, 1998, which are incorporated herein by reference in their entirety.

Internet HTTP Basic Authentication

As previously set forth, a number of services available on the global Internet require that a user authenticate itself as an entity that is allowed to access the particular service. For example, when an investor wishes to access his brokerage account on a brokerage house's server, the investor is
required to authenticate himself before access to the brokerage account is granted. The user's web browser will request the user to enter a set of credentials comprising a userid (username) and a password. The web browser will then submit the credentials when communicating with the brokerage house's servers.

The standard method of authenticating a client system is to use the basic authentication system set forth in version 1.1 of the HTTP specification, available in the Internet Engineering Task Force (IETF) Request For Comments (RFC) document 2068. In the RFC 2068 defined basic authentication system, a protected server will request a client to authenticate itself by sending a response with a header that requests the authentication for a particular realm, such as

WWW-Authenticate: Basic realm="WallyWorld"

The client should respond with a request that contains a header having a proper authorization credential that is encoded with base64 encoding. For example, if the user agent wishes to send the userid "Aladdin" and password "open sesame", it would use the following authorization header field:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

If the protected server approves the authentication credential, the protected server will process the request. For all subsequent requests to servers within the same protected realm, the client is recommended to include the same authorization header field to avoid the request being denied for lack of authorization.

To prevent the user from being forced to enter the credentials for every subsequent request, the user agent (the web client or web browser) may cache the credential along with the name of the realm. Thus, for all subsequent requests to servers within that same realm, the user agent automatically attaches the authorization credential without the need for user intervention.

Cached Authentication for Wireless Devices

As set forth in the previous section, a number of services available on the global Internet require that a user authenticate itself before access to a protected service. With the Basic Authentication system defined in RFC 2068, authentication credentials must be sent along with every request to a resource within a protected realm. In a wireless communication environment where the communication overhead must be kept to a minimum, the present invention proposes eliminating the majority of the authentication requests and authorization responses that are transmitted. Specifically, in the present invention the proxy server that handles communication between the wireless client devices and resources on the Internet is used to cache credentials.

The proxy server intercepts and caches a wireless client's credentials when a credential is first sent from the wireless user agent to a protected Internet server. To intercept the credential, the proxy server looks up the credential in the HDTP or WSP headers that are equivalent to the HTTP "Authorization:" header in the request from the wireless user agent. Once the credential for a particular realm is found, the credential is cached in the memory (short term or long term) of the proxy server. After first sending the credential for accessing the resource in a particular realm, the wireless user agent does not need to attach the credential to the subsequent requests for any other resources belonging to the same realm. The proxy server retrieves the credential from its cache by using the URL that a particular request is being directed towards. If the URL belongs to a known protected realm that the proxy server has a credential for, then the proxy server attaches the credential for that realm to the request and the request is forwarded to the Internet server.

The teachings of the present invention provide several advantages. First, the present invention reduces the number of bits and bytes that must be transmitted over the low bandwidth and expensive wireless communication infrastructure, since a credential does not need to be sent for every request into a protected realm. Second, the present invention reduces the amount of memory used within each wireless client device, since the wireless user agent does not have to implement the mechanism for saving the credentials nor store the credentials. Third, the present invention reduces the number of messages sent across the wireless communication infrastructure if the wireless user agent does not have a credential caching mechanism. Finally, the present invention relieves the user from entering the credentials over and over again for accessing the resources that belong to the same realm if the wireless user agent does not have the caching mechanism or the size of the cache in the wireless client device is small.

Implementation Summary

Referring back to FIG. 2, to implement a credential caching proxy, the Internet Proxy Process 217 is programmed to use a credential cache 214 for every request sent from wireless client devices to Internet resources. Specifically, the Internet Proxy Process 217 is programmed to look for authorization credentials in each request. If a credential is detected, then the Internet Proxy Process 217 stores the new credential contained in the headers of the request in a credential cache 214. If the Internet Proxy Process 217 does not detect an authorization header with a credential, then the Internet Proxy Process 217 examines the credential cache 214 to determine if the Internet Proxy Process 217 has previously cached a credential for the Internet resource that is being accessed. If the Internet Proxy Process 217 locates a credential for the Internet resource being accessed, the credential is attached to the request through the HTTP "Authorization:" header and forwarded to the desired Internet resource.

For example, if wireless client device 106 wishes to communicate with web server 206 within protected realm 230, the wireless device 106 must provide a credential. The credential may be supplied during an initial request (perhaps the wireless device 106 cached the credential) or the credential may be supplied in response to a message from web server 206 that specifies that access has been denied using the well known HTTP 401 status code. When the Internet Proxy Process 217 sees the credential in a request from the wireless device 106, the Internet Proxy Process 217 stores the credential into credential cache 214. On all subsequent accesses to web server 206, the wireless device 106 does not need to provide a credential since the Internet Proxy Process 217 will automatically insert the credential from the credential cache 214. Furthermore, if the wireless device 106 accesses web server 205 or web server 207, the wireless device 106 still does not need to provide a credential. No credential is required since web server 205 and web server 207 reside within the same protected realm as web server 206, such that the Internet Proxy Process 217 will automatically insert the credential from the credential cache 214.

An Example Cached Credential Transaction

To fully describe the teachings of the present invention, a typical cached credential transaction will be described with reference to an exemplary transaction between a wireless client device, the Internet proxy server, and a protected


US 6,606,663 B1

Internet server. In the example, it is assumed that the proxy server has been configured in a manner such that the wireless user agent must explicitly request caching of credentials in order for the proxy server to perform the caching functions. It should be noted that the wireless client device has the option not to enable the credential caching function in the proxy server, and that the proxy server has the option to enable credential caching regardless of whether the wireless user agent caches the credentials.

Referring to the top of FIG. 3, the three units involved in an authenticated transaction are displayed: a wireless client device 301, an Internet proxy server 302, and a protected Internet server 303. Beneath the three units, a series of steps for each unit and messages sent between the units will be described.

To enable proxy server credential caching for a particular wireless client device, the wireless user agent makes a request that contains a request for proxy caching of credentials as stated in step 305. In the embodiment of FIG. 3, the wireless agent makes such a request by including the header "x-up-ba-enable: 1" in a WSP session creation message 306. Responding to the proxy caching enable request, the proxy server 302 enables credential caching for that particular wireless client device at step 307. At this time, the proxy server 302 may create an empty cache record associated with the wireless client device's account for storing credentials. The proxy server 302 then confirms that it has enabled caching by responding to the session creation request with the same "x-up-ba-enable: 1" header in the response message 308. When this negotiation is done, both the wireless user agent 301 and the proxy server 302 have agreed that the caching of credentials will be performed by the proxy server 302, so that the wireless user agent 301 does not need to perform caching.

After proxy caching of credentials has been enabled, the proxy server 302 examines all subsequent requests and determines if a cached credential should be attached to the request before the request is translated from WSP or HDTP into HTTP and forwarded to the desired Internet information server. The examination of each request comprises examining the known protected realms in the cache to see if the destination URL of the request belongs to one of the known protected realms. If the requested URL belongs to a cached realm, the proxy server 302 attaches the credential associated with that realm using the HTTP header "Authorization:" and forwards the request to the desired server.

In one particular embodiment, the proxy server 302 parses the URL of the request to obtain the Internet host name and the path of the desired resource in order to determine if the URL request belongs to a protected realm in the cache. The proxy server 302 then uses the host name and path pair to attempt to locate a matching entry in the credential cache. The host name must exactly match the host name in a cache entry in order for a cache "hit" to occur. The path comparison is performed using root path comparison. Specifically, there will only be a path match if the path in the cached entry is a root path of the path in the URL. For example, a cache entry containing the path "/alpha/beta" will match a request having the path "/alpha/beta/gamma" for the purpose of the present invention because "/alpha/beta" is the root path of "/alpha/beta/gamma". If an entry in the credential cache matches both the host name and the path, then the requested resource specified by the URL belongs to the protected realm associated with the cache entry having the matching host name and path pair. In one embodiment, each entry may include a TCP port number. In such an embodiment, the port number must also match exactly to identify a matching entry.

If no realm containing the destination URL is found in the credential cache, the proxy server 302 just forwards the URL request to the origin server. An example of this is illustrated at step 310, where the wireless client agent in the wireless client device 301 sends a request 311 destined for Internet information server 303 to the proxy server 302. The proxy server 302 then examines the request and determines that the URL is not within any known protected realm, since at this point in the example there are no known protected realms in the proxy server's credential cache. Thus, the proxy server 302 just translates the request at step 315 and passes the translated request 317 to the destination URL, Internet information server 303.

In the example of FIG. 3, the Internet information server 303 is within a protected realm 397. When the translated request 317 reaches the Internet information server 303 within protected realm 399, the Internet information server 303 will deny the request as stated in step 320. To deny the request, the Internet information server 303 sends a response message 321 that contains the well known HTTP status code 401, which indicates that access has been denied because the access could not be authorized. The response message also includes an authenticate challenge by including the HTTP "WWW-Authenticate:" header, which challenges the recipient to provide an authorization credential. In the example of FIG. 3, the HTTP "WWW-Authenticate:" header specifies that the basic authentication system is being used. The HTTP "WWW-Authenticate:" header also specifies a name of the realm that is being accessed. In the example of FIG. 3, the name "Valley" assigned to the protected realm is passed in the challenge authenticate header.

When the proxy server 302 receives an authenticate challenge message from an Internet server such as Internet information server 303, the proxy server 302 may first look up and examine the credential cache using the realm specified in the challenge message. If a matching cache entry for that realm is found, the proxy server 302 retrieves the credential information associated with the realm and re-submits the HTTP request by setting the "Authorization:" header that carries the credential retrieved from the credential cache. A new cache entry will be created in the credential cache when the HTTP request succeeds. The new cache entry for the credential is first created in the cache as a proto entry. After the HTTP request has proved successful, the proto cache entry is validated and its status is promoted from proto to valid. A proto cache entry simply means that further validation is required before the cache entry can be used for other requests that access resources in the same realm. The cache entry may contain the host name, the realm name, the credential, the path, and the port. A duplicated cache entry may be removed when it is detected. However, if no credential is found within the cache, the proxy server 302 translates the authenticate challenge response as stated in step 325. The proxy server 302 forwards the translated authenticate challenge message 327 to the wireless user agent through WSP along with a corresponding WSP or HDTP "Authenticate:" header that carries the challenge to the wireless user agent. It should be noted that the WSP or HDTP response 327 with the authenticate challenge includes the name of the realm to be accessed ("Valley").

After receiving the response 327 with the authenticate challenge, the wireless client agent examines a local cache of credentials using the name of the realm to be accessed. If the local client cache has an entry for the specified realm, then the wireless client agent resubmits request 333 along with the authorization information from the credential cache, which is carried in the WSP header "Authorization:".
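The host, port and root path matching that the proxy performs on each outgoing request, written out as an added example in Python. This is not code from the patent or from any product it describes; the class and function names, the sample cache and the URLs are assumptions for illustration. It encodes the cached pair in the "userid:password" form that HTTP Basic requires, whereas the text above writes it as "Aladdin/sesame", and it goes one step beyond the text by matching root paths on segment boundaries, so that a credential cached for "/alpha/beta" is not sent to "/alpha/betagamma":

```python
import base64
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Added example (not the patent's code). Class and function names are assumptions.


@dataclass(frozen=True)
class CacheEntry:
    credential: str   # "userid:password", the form HTTP Basic expects
    realm: str
    host: str         # compared exactly (case-folded), as the text requires
    path: str         # root path of the protected area
    port: int         # must also match exactly


def is_root_path(root: str, path: str) -> bool:
    """True if `root` is a root path of `path`.

    The rule in the text is that "/alpha/beta" covers "/alpha/beta/gamma".
    The comparison here is done on segment boundaries, which is stricter than
    a plain prefix test: a naive path.startswith(root) would also send the
    "/alpha/beta" credential to "/alpha/betagamma", a different resource that
    may be served by a different party on the same host.
    """
    root = root.rstrip("/") or "/"
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def find_entry(cache: Iterable[CacheEntry], url: str) -> Optional[CacheEntry]:
    """Locate the cache entry whose (host, port, root path) covers `url`.

    When several entries cover the URL, the one with the longest path wins so
    that a credential cached for "/" does not shadow a more specific one.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    path = parts.path or "/"
    best: Optional[CacheEntry] = None
    for entry in cache:
        if entry.host.lower() != host or entry.port != port:
            continue
        if is_root_path(entry.path, path) and (best is None or len(entry.path) > len(best.path)):
            best = entry
    return best


def authorization_header(entry: CacheEntry) -> str:
    """Build the HTTP Basic 'Authorization:' value for a cached credential."""
    token = base64.b64encode(entry.credential.encode("latin-1")).decode("ascii")
    return "Basic " + token


def attach_credential(cache: Iterable[CacheEntry], url: str, headers: dict) -> dict:
    """Return a copy of `headers` with 'Authorization:' inserted on a cache hit.

    A credential the client supplied itself is never overwritten.
    """
    out = dict(headers)
    entry = find_entry(cache, url)
    if entry is not None and "Authorization" not in out:
        out["Authorization"] = authorization_header(entry)
    return out


# Constructed sample cache holding the "Valley" example entry from the text.
SAMPLE_CACHE = [
    CacheEntry("Aladdin:sesame", "Valley", "www.uplanet.com", "/alpha/beta", 8200),
]

if __name__ == "__main__":
    for url in ("https://www.uplanet.com:8200/alpha/beta/gamma",
                "https://www.uplanet.com:8200/alpha/betagamma",
                "https://www.uplanet.com/alpha/beta"):
        print(url, "->", attach_credential(SAMPLE_CACHE, url, {}))
```

Note that the port check does real work: the same host on port 443 is a different cache key from port 8200, so a credential entered for "https://www.uplanet.com:8200/alpha/beta" is never replayed to whatever listens on the default port. The longest-path rule matters as soon as a client has cached entries for both "/" and "/alpha/beta" on one host.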
If the local client cache does not include credential information for the specified realm, or if the user agent does not have a credential cache, then the user agent asks the user for credentials to access the specified URL. After the user provides the credentials for the desired resource (Internet information server 303), the wireless client agent resubmits the request 333 along with the credential information as the user entered it. When the wireless client device 301 re-submits the request 333, it includes the WSP "Authorization:" header that carries the credential information in the request to the Internet information server 303 through the proxy server 302. The re-submitted request also includes the name of the realm ("Valley" in this example). In one embodiment, the wireless client device 301 specifies the realm in an "x-up-ba-realm:" header in the re-submitted WSP or HDTP request 333.

When the proxy server 302 receives the credentials being submitted in the "Authorization:" header, the proxy server 302 creates a proto credential cache entry in the credential cache as stated in step 330. The credential cache entry comprises the actual credential (usually a userid and password pair), the name of the realm, the name of the host server from the URL, the path name from the URL, and the port being accessed. At minimum, each cache entry must contain the credential and the name of the protected realm. For example, if the wireless client device 301 is accessing the Internet information server 303 in the "Valley" realm using the Internet URL "https://www.uplanet.com:8200/alpha/beta" with the userid "Aladdin" and the password "sesame", then the credential cache stores a proto cache entry with the credential "Aladdin/sesame" (the userid and password pair), the realm name "Valley", the host name "www.uplanet.com", the path "/alpha/beta", and the TCP port "8200". At a minimum, the credential entry must contain the credential "Aladdin/sesame" and the realm name "Valley". Note that the realm name ("Valley") is obtained from the "x-up-ba-realm:" header in the re-submitted WSP or HDTP request 333. The newly created credential cache entry is marked as proto since the user (or the wireless client device) may have provided a credential that is not validated until the corresponding HTTP request succeeds.

After creating the proto credential cache entry, the proxy server 302 translates the re-submitted WSP or HDTP request 333 into an HTTP request 337 with an HTTP "Authorization:" header. The translated HTTP request 337 with the HTTP "Authorization:" header is sent to the Internet information server 303. Assuming that the correct credentials for the realm were provided in the re-submitted WSP or HDTP request 333, the Internet information server 303 then processes the request at step 340. The Internet information server 303 then responds with a normal HTTP response 341.

In response to the normal response that indicates the authorization succeeded, the proxy server 302 validates the recently created proto credential cache entry at step 350. The validation step promotes the proto cache entry to a valid cache entry in the credential cache so that it can be reused for all other requests that access resources in the same realm. The proxy server 302 also translates the response and passes the translated HDTP or WSP response 352 to the wireless client device 301.

All the valid credential cache entries, including the newly validated credential cache entry, will then be examined when the proxy server receives new requests from the wireless user agent in the future. A future request from the wireless client agent 301 may specify a resource within the same protected realm that was just placed into the cache. If a new request from the wireless client agent 301 is addressed to a resource belonging to the same realm, then the proxy server 302 will automatically insert the cached credential into the request before it is forwarded on the Internet. Because the proxy server holds the credential in its cache, the wireless client device 301 does not send the credential in the new requests to the proxy server.

Before a cache entry is validated, the proxy server 302 will examine whether the newly created cache entry is a duplicate of an earlier credential cache entry. If the new credential cache entry is a duplicate of an earlier entry, then the older cache entry is removed. The newly created credential cache entry is considered a duplicate if the path of the newly created credential cache entry is a root path of a path in an existing entry in the cache and all the other fields in the cache entry match. For instance, a new cache entry (name/password, "REALM", www.uplanet.com, /alpha, 8200) is a duplicate of an existing cache entry containing (name/password, "REALM", www.uplanet.com, /alpha/beta, 8200), since the request URL contains "/alpha", which is a root path of "/alpha/beta". In this example, name/password is the userid/password and "REALM" is the realm.

Implementation Details

Each credential placed into the credential cache does not remain in the cache indefinitely. The credentials expire according to the cache expiration rules. In one embodiment, the wireless client device invalidates or deletes all cache entries when the WSP session has ended. A typical expiration time may be one day. However, the wireless client device may expire entries sooner than the WSP session cycle by using a short and fixed time period (e.g., every 30 minutes) for expiration if the proxy server chooses such a policy. In another embodiment, each cache entry is given its own expiration time. The expiration time may be extended if a resource within a known protected realm is accessed before the expiration time.

In one embodiment, the proxy server 302 may send a special credential request HDML or WML deck or preformatted display page. If an HDML or WML deck is used, the message will also contain the return address in the form of a special proxy URI such as "uplink:". The special credential deck or page asks the user to enter a credential and directs the user agent to send a special request to the proxy server 302. The special request from the wireless client device 301 contains the credential, the realm, the host, the path, and the port number (if necessary). In such an embodiment, the credential caching system may be implemented even if the wireless client device is unaware of the basic authentication concepts. For example, a very simple browser may not implement authentication/authorization features. Furthermore, a "dumb terminal" type client device may not even implement a markup language interpreter, such that the preformatted page is simply displayed on the screen and the request information is returned.

It should be noted that the credential caching system is not mandatory. If a particular wireless client device user does not trust the security of the credential caching system, then the user can turn off the proxy server credential caching. However, in one embodiment, the administrator has the power to override the wireless client device user's wishes. Specifically, the proxy server administrator has the option to force credential caching regardless of whether the wireless user agent caches the credentials. This option may be used during peak data traffic periods such that the data traffic is minimized.

The foregoing has described a method and apparatus for caching credentials in a proxy server environment. It is contemplated that changes and modifications may be made by one of ordinary skill in the art, to the materials and arrangements of elements of the present invention without departing from the scope of the invention.
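The response side of the same transaction, as an added Python example that is not the patent's code: parsing the realm out of the server's Basic challenge, recording the client's credential as a proto entry at step 330, promoting it at step 350 once the origin server accepts it, consolidating duplicate entries by the root path rule, and expiring entries under the rules given in Implementation Details. The class names, the injectable clock and the choice to discard a proto entry that the origin server rejects with 401 are assumptions not stated in the text above.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, List, Optional

# Added example (not the patent's code). Names, the fake clock and the
# 401-discards-proto rule are assumptions made for illustration.

_BASIC_REALM = re.compile(r'^\s*Basic\s+realm\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_basic_challenge(www_authenticate: str) -> Optional[str]:
    """Return the realm from a 'WWW-Authenticate: Basic realm="..."' value.

    Any other scheme returns None, so the cache never stores a credential
    for a challenge it does not understand.
    """
    match = _BASIC_REALM.match(www_authenticate)
    return match.group(1) if match else None


def is_root_path(root: str, path: str) -> bool:
    """Segment-aware root path test: "/alpha" is a root of "/alpha/beta"."""
    root = root.rstrip("/") or "/"
    return root == "/" or path == root or path.startswith(root + "/")


@dataclass
class Entry:
    credential: str
    realm: str
    host: str
    path: str
    port: int
    state: str = "proto"        # "proto" until the origin server accepts it
    expires_at: float = 0.0


class CredentialCache:
    """Per-client credential cache with proto/valid entries and expiration."""

    def __init__(self, ttl_seconds: float = 86400.0, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds          # one day is the typical expiration in the text
        self.clock = clock              # injectable so expiry can be tested offline
        self.entries: List[Entry] = []

    def create_proto(self, credential: str, realm: str, host: str, path: str, port: int) -> Entry:
        """Step 330: record the client-supplied credential as a proto entry."""
        entry = Entry(credential, realm, host, path, port, expires_at=self.clock() + self.ttl)
        self.entries.append(entry)
        return entry

    def on_origin_response(self, entry: Entry, status: int) -> None:
        """Step 350: promote the proto entry on success.

        Assumption beyond the text: a proto entry rejected with 401 is
        discarded instead of lingering in the cache.
        """
        if entry.state != "proto":
            return
        if 200 <= status < 300:
            self._drop_duplicates(entry)
            entry.state = "valid"
        elif status == 401:
            self.entries.remove(entry)

    def _drop_duplicates(self, new: Entry) -> None:
        """Remove older entries whose path lies under `new.path` when every
        other field matches, e.g. (/alpha) supersedes (/alpha/beta)."""
        self.entries = [
            old for old in self.entries
            if old is new or not (
                old.credential == new.credential and old.realm == new.realm
                and old.host == new.host and old.port == new.port
                and is_root_path(new.path, old.path)
            )
        ]

    def lookup(self, host: str, port: int, path: str) -> Optional[Entry]:
        """Return the valid, unexpired entry covering (host, port, path)."""
        now = self.clock()
        self.entries = [e for e in self.entries if e.expires_at > now]
        best: Optional[Entry] = None
        for e in self.entries:
            if e.state != "valid" or e.host != host or e.port != port:
                continue
            if is_root_path(e.path, path) and (best is None or len(e.path) > len(best.path)):
                best = e
        if best is not None:
            best.expires_at = now + self.ttl   # sliding expiry on access, as the text allows
        return best

    def end_session(self) -> None:
        """Drop everything when the WSP session ends."""
        self.entries.clear()
```

The proto state is what keeps a wrong or malicious credential from being replayed: `lookup` only ever returns entries the origin server has already accepted. Duplicate removal runs before promotion, so a broader entry for "/alpha" replaces the earlier "/alpha/beta" entry only after the server has confirmed that the same credential works there too.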
We claim: 

1. A method of caching credential information with a 
proxy server, said method comprising: 

proxying to a set of client devices on a wireless network 
using a proxy server, a set of services on a wireline 
network; 

enabling caching of credentials at a location accessible by 
the proxy server using a wireless user agent; 

creating a credential cache accessible by said proxy 
server; 

intercepting a first request to access a resource at a 
specified network locator on the wireline network using 
said proxy server, the first request transmitted by a 
client device and destined for a resource in said wire- 
line network, the first request including a credential; 

storing said credential in a credential entry in said credential cache if said credential is not present in the 
cache; and 

in response to receiving a subsequent request from the 
client device to access the resource on the wireline 
network: 
accessing the credential stored in the credential cache; 
and 

sending the accessed credential for authentication to the 
resource with the subsequent request, such that the 
client device is not required to send the credential over 
the wireless network for the subsequent request to be 
satisfied. 

2. The method as claimed in claim 1 wherein storing said 
credential in said credential cache comprises creating a proto 
credential entry, said credential is passed to said resource, 
and said proto credential entry is validated if said resource 
approves of said credential. 

3. The method as claimed in claim 1 wherein each 
credential entry comprises a credential and a realm name. 

4. The method as claimed in claim 3 wherein each 
credential entry further comprises a host name, a port 
number, and a path for a desired resource. 

5. The method as claimed in claim 4 wherein said proxy 
server compares a desired host and desired path in future 
requests against said host name and said path in said cache 
entry. 

6. The method as claimed in claim 1 further comprising: 
informing said client device that said proxy server will 

perform credential caching such that said client device 
only sends each credential once. 

7. The method as claimed in claim 1 wherein said proxy 
server uses said stored credential for all subsequent accesses 
to said resource. 

8. The method as claimed in claim 1 wherein said entries 

in said credential cache expire according to a set of defined 
expiration rules. 

9. The method as claimed in claim 1 wherein said 
credential was sent by said client device after being denied 
access to said resource. 

10. The method as claimed in claim 1 wherein said 
credential specifies a protected realm wherein the credential 
applies. 

11. The method as claimed in claim 10 wherein said proxy 
server uses said stored credential for all subsequent accesses 

to resources within said protected realm. 

12. The method of claim 1 wherein the wireless user agent 
is a web browser. 
13. A method comprising: 

enabling caching of credentials at a location accessible by 
an intermediary network node using a wireless user 
agent; 

intercepting a first request destined for a resource at a 
specified network locator on a wireline network trans- 
mitted by a client device over a wireless network, the 
first request including an associated credential; 

intercepting a subsequent request without the associated 
credential at the intermediary network node, the request 
transmitted by the client device over the wireless 
network and destined for a resource at a specified 
network locator on the wireline network; and, in 
response to the request: 

using the intermediary network node to locate a cached 
credential associated with the client device; and 

sending the request with the cached credential from the 
intermediary network node to the resource over the 
wireline network, the resource authenticating the 
client device using the credential. 

14. A method as recited in claim 13, wherein the inter- 
mediary network node comprises a proxy server to proxy 
requests from the client device to resources on the wireless 
network. 

15. A method as recited in claim 13, wherein the creden- 
tial comprises a username and password. 

16. A method as recited in claim 13, wherein the creden- 
tial is not cached if the user specifies that the credential is not 
to be cached. 

17. The method of claim 13 wherein the wireless user 
agent is a web browser. 

18. An intermediary network node comprising: 

means for enabling caching of credentials at a location 
accessible by an intermediary network node using a 
wireless user agent; 

means for intercepting a first request including an asso- 
ciated credential from a mobile device over a wireless 
network, the first request destined for a resource at a 
specified network locator within a protected realm on a 
wireline network; 

means for intercepting a subsequent request without an 
associated credential at the intermediary network node 
from the mobile device over the wireless network, the 
request destined for a resource within the protected 
realm on the wireline network; 

means for using the intermediary network node to locate 
in a credential cache a credential associated with the 
mobile client device in response to the subsequent 
request; and 

means for sending the subsequent request with the cre- 
dential from the intermediary network node to the 
resource at the specified network locator over the 
wireless network, the resource authenticating the client 
device using the credential. 

19. An intermediary network node as recited in claim 18, 
wherein the intermediary network node operates as a proxy 
server for proxying requests from the mobile client device to 
resources on the wireline data network. 

20. An intermediary network node as recited in claim 18, 
wherein the credential comprises a username and password. 

21. An intermediary network node as recited in claim 18, 
wherein the credential is not cached if the user specifies that 
the credential is not to be cached. 

22. The network node of claim 18 wherein the wireless 
user agent is a web browser. 
23. A method comprising: 

receiving, at an intermediary network node enabled by a 
wireless user agent to store credentials, a credential 
from a client device over a wireless network, wherein 
the credential is associated with a first request by the 
client device destined for a first resource at a specified 
first network locator within a protected realm on a 
wireline network; 

caching the credential in a credential cache using the 
intermediary network node if the credential is not 
present in the cache; 

receiving, at the intermediary network node, a second 
request from the client device without an associated 
credential, the second request destined for a second 
resource at a specified second network locator within 
the protected realm on the wireline network; 

using the intermediary network node to locate the cached 
credential in the credential cache in response to the 
second request; and 

sending the cached credential with the second request 
from the intermediary network node to the resource 
over the wireline network, the resource authenticating 
the client device using the credential. 

24. A method as recited in claim 22, wherein the inter- 
mediary network node comprises a proxy server to proxy 
requests from the client device to resource on the wireless 
network. 

25. A method as recited in claim 23, wherein the creden- 
tial comprises a username and password. 

26. A method as recited in claim 23, wherein the creden- 
tial is not cached if the user specifies that the credential is not 
to be cached. 

27. A method as recited in claim 23, wherein the creden- 
tials in the credential cache expire according to a set of 
defined expiration rules. 

28. The method of claim 23 wherein the wireless user 
agent is a web browser. 

29. A method comprising: 

creating a credential cache accessible by a proxy server 
enabled by a wireless user agent to cache credentials, 
the proxy server proxying to a set of client devices on 
a wireless network a set of services on a wireline 
network; 

intercepting a first request to access a resource at a 
specified network locator on the wireline network using 
said proxy server, the first request transmitted by a 
client device and destined for a resource in said wire- 
line network, the first request including a credential; 

storing said credential in a credential entry in said credential cache if said credential is not present in the 
cache; and 

in response to receiving a subsequent request from the 
client device to access the resource on the wireline 
network: 

accessing the credential stored in the credential cache; 
and 

sending the accessed credential for authentication to the 
resource with the subsequent request, such that the 
client device is not required to send the credential 
over the wireless network for the subsequent request 
to be satisfied. 

30. The method as claimed in claim 29 wherein storing 
said credential in said credential cache comprises creating a 
proto credential entry, said credential is passed to said 
resource, and said proto credential entry is validated if said 
resource approves of said credential. 
31. The method as claimed in claim 29 wherein each 
credential entry comprises a credential and a realm name. 

32. The method as claimed in claim 31 wherein each 
credential entry further comprises a host name, a port 
number, and a path for a desired resource. 

33. The method as claimed in claim 32 wherein said proxy 
server compares a desired host and desired path in further 
requests against said host name and said path in said cache 
entry. 

34. The method as claimed in claim 29 further compris- 
ing: 

informing said client device that said proxy server will 
perform credential caching such that said client device 
only sends each credential once. 

35. The method as claimed in claim 29 wherein said proxy 
server uses said stored credential for all subsequent accesses 
to said resource. 

36. The method as claimed in claim 29 wherein said 
entries in said credential cache expire according to a set of 
defined expiration rules. 

37. The method as claimed in claim 29 wherein said 
credential was sent by said client device after being denied 
access to said resource. 

38. The method as claimed in claim 29 wherein said 
credential specifies a protected realm wherein the credential 
applies. 

39. The method as claimed in claim 38 wherein said proxy 
server uses said stored credential for all subsequent accesses 
to resources within said protected realm. 

40. The method of claim 29 wherein the wireless user 
agent is a web browser. 

41. A method comprising: 

receiving, at a proxy server enabled by a wireless user 
agent to store credentials, a credential, comprising a 
user name and a password, from a mobile client device 
over a wireless network, wherein the credential is 
associated with a first request by the mobile client 
destined for a first resource at a specified first network 
locator within a protected realm on a wireline data 
network; 

caching the credential in a credential cache if the creden- 
tial is not present in the cache, wherein the credentials 
in the credential cache expire according to a set of 
defined expiration rules, using the proxy server unless 
the user specifies that the credential is not to be cached; 

receiving, at the proxy server, a second request without an 
associated credential from the mobile client over the 
wireless network, the second request destined for a 
second resource at a specified second network locator 
within the protected realm on the wireline data net- 
work; 

accessing the cached credential in the credential cache in 
response to the second request, using the proxy server; 
and 

proxying the second request to the resource over the 
wireline data network, including sending the cached 
credential to the resource with the second request for 
authentication of the mobile client at the resource, such 
that the mobile client is not required to send the 
credential over the wireless network for the second 
resource to satisfy the second request. 

42. The method of claim 41 wherein the wireless user 
agent is a web browser. 